modiloader | 2c7e36d7f10ff9b97bd4bf6c8a5a63f620b2aad8683984a54e12f97b73302a18

General

Target

Jqqzrja.exe
Size

944KB
MD5

08a179cfc5c59fe478a80f65b2a0f5b2
SHA1

d6648e3830f971162143d8e1d4a6054175559174
SHA256

2c7e36d7f10ff9b97bd4bf6c8a5a63f620b2aad8683984a54e12f97b73302a18
SHA512

b6b1d7b7b286174e5fdcdea3380174604326c849f6b1bf41ad0b2f440ca92a6705bfca7acaaf4ca0fdedf78f063076cd78c715e17d55e8198c6bb59836df71b4

Score

10^/10

modiloader warzonerat infostealer persistence rat trojan

Malware Config

Extracted

Family

warzonerat

C2

pentester01.duckdns.org:54788

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/648-382-0x0000000010670000-0x00000000107C6000-memory.dmp	warzonerat
behavioral2/memory/648-383-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Jqqzrja.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jqqzrja = "C:\\Users\\Public\\Libraries\\ajrzqqJ.url"	Jqqzrja.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1716 powershell.exe
1716 powershell.exe
1716 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1716 powershell.exe

pid	process
1716	powershell.exe
1716	powershell.exe
1716	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1716	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Jqqzrja.execmd.execmd.exenet.exe

description	pid	process	target process
PID 4376 wrote to memory of 2248	4376	Jqqzrja.exe	cmd.exe
PID 4376 wrote to memory of 2248	4376	Jqqzrja.exe	cmd.exe
PID 4376 wrote to memory of 2248	4376	Jqqzrja.exe	cmd.exe
PID 2248 wrote to memory of 4736	2248	cmd.exe	cmd.exe
PID 2248 wrote to memory of 4736	2248	cmd.exe	cmd.exe
PID 2248 wrote to memory of 4736	2248	cmd.exe	cmd.exe
PID 4736 wrote to memory of 5072	4736	cmd.exe	net.exe
PID 4736 wrote to memory of 5072	4736	cmd.exe	net.exe
PID 4736 wrote to memory of 5072	4736	cmd.exe	net.exe
PID 5072 wrote to memory of 1192	5072	net.exe	net1.exe
PID 5072 wrote to memory of 1192	5072	net.exe	net1.exe
PID 5072 wrote to memory of 1192	5072	net.exe	net1.exe
PID 4736 wrote to memory of 1716	4736	cmd.exe	powershell.exe
PID 4736 wrote to memory of 1716	4736	cmd.exe	powershell.exe
PID 4736 wrote to memory of 1716	4736	cmd.exe	powershell.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe
PID 4376 wrote to memory of 648	4376	Jqqzrja.exe	logagent.exe

C:\Users\Admin\AppData\Local\Temp\Jqqzrja.exe
"C:\Users\Admin\AppData\Local\Temp\Jqqzrja.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Jqqzrjat.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\JqqzrjaO.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\net.exe
net session
4⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
5⤵
PID:1192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
2⤵
PID:648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\Cdex.bat
Filesize
155B

MD5
213c60adf1c9ef88dc3c9b2d579959d2

SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Download Submit
C:\Users\Public\Libraries\JqqzrjaO.bat
Filesize
1KB

MD5
df48c09f243ebcc8a165f77a1c2bf889

SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07

SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Download Submit
C:\Users\Public\Libraries\Jqqzrjat.bat
Filesize
56B

MD5
837e820689849a69cc7d32fc47460bb0

SHA1
06fcf6e0e541f6ac08ed6340b8e8f4b4b020b51a

SHA256
0214ab1c3d47ab0221ba2e98769b3b84f9748f5b6b8b1c01d35214714d1b05a7

SHA512
0970d0e3f15c7699df880b3266c2e25a55ea6fe7aa38dd74325e6945d22b794a27b0ffbc247bdc479456f57d115658752e3c8b9c629e7d6179176bcef1ac9e0c

Download Submit
memory/648-381-0x0000000000000000-mapping.dmp

Download
memory/648-383-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/648-382-0x0000000010670000-0x00000000107C6000-memory.dmp

Filesize
1.3MB

Download
memory/1192-128-0x0000000000000000-mapping.dmp

Download
memory/1716-137-0x0000000007BC0000-0x0000000007C26000-memory.dmp

Filesize
408KB

Download
memory/1716-157-0x00000000096F0000-0x0000000009784000-memory.dmp

Filesize
592KB

Download
memory/1716-134-0x0000000007590000-0x0000000007BB8000-memory.dmp

Filesize
6.2MB

Download
memory/1716-135-0x0000000007290000-0x00000000072B2000-memory.dmp

Filesize
136KB

Download
memory/1716-136-0x0000000007430000-0x0000000007496000-memory.dmp

Filesize
408KB

Download
memory/1716-130-0x0000000000000000-mapping.dmp

Download
memory/1716-138-0x0000000007CA0000-0x0000000007FF0000-memory.dmp

Filesize
3.3MB

Download
memory/1716-139-0x0000000007570000-0x000000000758C000-memory.dmp

Filesize
112KB

Download
memory/1716-140-0x0000000008520000-0x000000000856B000-memory.dmp

Filesize
300KB

Download
memory/1716-141-0x0000000008380000-0x00000000083F6000-memory.dmp

Filesize
472KB

Download
memory/1716-150-0x00000000093F0000-0x0000000009423000-memory.dmp

Filesize
204KB

Download
memory/1716-151-0x00000000093D0000-0x00000000093EE000-memory.dmp

Filesize
120KB

Download
memory/1716-156-0x0000000009520000-0x00000000095C5000-memory.dmp

Filesize
660KB

Download
memory/1716-133-0x0000000004930000-0x0000000004966000-memory.dmp

Filesize
216KB

Download
memory/1716-350-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

Filesize
104KB

Download
memory/1716-355-0x0000000006EB0000-0x0000000006EB8000-memory.dmp

Filesize
32KB

Download
memory/2248-123-0x0000000000000000-mapping.dmp

Download
memory/4736-125-0x0000000000000000-mapping.dmp

Download
memory/5072-127-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads